Information Security News | AI Aggregator

Three vulnerabilities in Anthropic's mcp-server-git, a Git Model Context Protocol server, allow unauthorized file access and code execution. CVE-2025-68143 and CVE-2025-68145 are path traversal issues, while CVE-2025-68144 involves argument injection. Exploitation could enable attackers to manipulate Git repositories and execute malicious code. The vulnerabilities have been patched in versions 2025.9.25 and 2025.12.18. Users are advised to update to these versions for protection.

Three security vulnerabilities in Anthropic's mcp-server-git, identified by Cyata, allow prompt injection attacks that can manipulate AI assistants without direct system access. Affecting all versions before December 8, 2025, the flaws enable code execution, file deletion, and exposure of sensitive files. Assigned CVEs are CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145. Anthropic released fixes in December 2025. Users are advised to update and review MCP server configurations.

Three vulnerabilities in Anthropic's Git MCP Server could allow attackers to execute prompt injection attacks, potentially compromising large language models (LLMs). Researchers from Cyata warn that these vulnerabilities could enable unauthorized code execution or tampering with LLM outputs. Infosec leaders are advised to ensure that corporate developers update to the latest version of the Git MCP server promptly to mitigate these risks.

Russian-aligned hacktivist groups are intensifying cyber attacks against UK organizations, particularly local governments and critical infrastructure, primarily through denial-of-service (DoS) attacks. The UK National Cyber Security Centre (NCSC) issued a warning today, urging organizations to bolster defenses. Notably, the group NoName057(16) has been active since March 2022, targeting UK and NATO entities. The NCSC emphasizes that these ideologically motivated attacks can significantly disrupt essential services and recommends reviewing DoS protections.

The UK NCSC warns that Russia-linked hacktivists, particularly the group NoName057(16), are conducting DDoS attacks on critical infrastructure and local government systems. The attacks, ideologically motivated, target organizations supporting Ukraine. The NCSC advises strengthening defenses, understanding vulnerabilities, utilizing DDoS protections, and preparing response plans. These groups exploit poorly secured VNC connections, affecting sectors like water, food, and energy. The alert emphasizes the need for improved cyber resilience.

Russian-aligned hacktivist groups are targeting UK organizations with denial-of-service (DoS) attacks, according to the National Cyber Security Centre (NCSC). Local authorities and critical infrastructure operators are particularly urged to enhance defenses. The NCSC recommends reviewing ISP protections, considering third-party DDoS mitigation, and ensuring infrastructure can scale to handle attacks. These attacks, driven by ideology rather than financial gain, aim to disrupt essential services. Organizations are advised to follow NCSC guidance to bolster defenses.

The UK's National Cyber Security Centre (NCSC) warned of ongoing cyber threats from pro-Russian hacktivist groups, particularly NoName057(16), which has targeted U.K. and NATO organizations with disruptive DDoS attacks since 2022. These groups, motivated by ideology, disrupt critical services and share tactics via Telegram and GitHub. The NCSC's advisory follows a similar warning from the U.S. CISA, highlighting the potential for real-world disruption, particularly in critical infrastructure sectors.

On January 19, 2026, the NCSC issued a warning about Russian-aligned hacktivist groups targeting UK organizations with disruptive denial-of-service (DoS) attacks. These attacks aim to cripple essential services and public-facing websites, posing significant operational risks. The NCSC recommends implementing DDoS protections, creating response plans, and utilizing available technical guidance. The ongoing threat necessitates prioritizing DoS resilience, particularly for organizations providing essential public services. Continuous monitoring of alerts is crucial.

The U.K.’s National Cyber Security Centre warned that pro-Russia hacktivists, particularly the group NoName057(16), are targeting critical infrastructure and local governments, linked to support for Ukraine. Officials advised security teams to enhance defenses against potential denial of service attacks. This follows a December advisory on various hacktivist groups. Experts anticipate increased threat activity in 2026, noting a trend of escalatory hacktivism aligned with state narratives.

A vulnerability in Google Gemini allowed unauthorized access to private calendar data through malicious invites, enabling attackers to extract sensitive information without user interaction. The flaw was exploited by embedding a prompt in a calendar event, which was activated when users queried their schedule. Although addressed, this incident highlights the security risks associated with AI features. Additionally, multiple vulnerabilities in AI systems were reported, emphasizing the need for robust security measures and constant evaluation of AI applications.

A vulnerability in Google Calendar allowed attackers to bypass privacy controls using calendar invites, exploiting a method called "Indirect Prompt Injection." This enabled unauthorized access to private meeting data without user interaction. The attack involved embedding malicious instructions in the invite's description, which were executed by Google Gemini when the user interacted with it. Google confirmed the issue and has since implemented a fix to address the vulnerability.

A newly identified vulnerability in Google’s Gemini allows attackers to exploit calendar invitations to manipulate the AI's behavior. Reported by Miggo, the flaw enables attackers to insert malicious instructions into event fields, which Gemini interprets to assist users. This highlights significant security risks as enterprises increasingly integrate generative AI into their workflows. The report emphasizes the need for caution in how event data is handled to prevent such exploitation.

A security flaw in Google Gemini allows attackers to use calendar invites for prompt injection attacks, enabling the exfiltration of private meeting data with minimal user interaction. Researchers from Miggo Security found that malicious prompts could be embedded in calendar entries, leading to unauthorized access to sensitive information. This vulnerability has been mitigated, reducing the risk of exploitation.

Hackers are exploiting the PDF24 App to deploy a backdoor known as PDFSIDER, identified by Resecurity after a Fortune 100 company blocked an intrusion attempt. The attack involves spear-phishing emails leading to a ZIP file containing the legitimate PDF24 App, manipulated via DLL side-loading. PDFSIDER operates stealthily in memory, using AES-256-GCM encryption for data exfiltration. The malware is linked to Advanced Persistent Threats and has shown persistence, with ties to groups like Mustang Panda.

Researchers have identified a new malware strain named PDFSIDER, designed for covert, long-term access to compromised systems. Delivered via DLL side-loading, it installs an encrypted backdoor while evading detection. The malware uses spear-phishing emails with a fake PDF application to initiate infection. It features an encrypted command-and-control channel, remote command execution, and anti-analysis checks to avoid detection. PDFSIDER is assessed as a targeted threat, primarily aimed at cyber-espionage rather than mass distribution.

PDFSIDER malware utilizes DLL side-loading and social engineering tactics to evade antivirus and endpoint detection systems. Discovered during an intrusion attempt against a Fortune 100 energy corporation, it employs a fake cryptbase.dll to deploy a backdoor with encrypted C2 capabilities. The malware is delivered via spear-phishing emails containing a ZIP file with a legitimate EXE labeled ‘PDF24 App.’ PDFSIDER is linked to APT behaviors and is actively used by ransomware actors for covert operations.

Cybersecurity researchers revealed the KongTuke campaign, utilizing a malicious Chrome extension, "NexShield – Advanced Web Guardian," to deliver ModeloRAT. This extension, posing as an ad blocker, crashes the browser and prompts users to execute commands, leading to a denial-of-service attack. Once installed, it tracks victims and executes malicious payloads. ModeloRAT targets domain-joined machines, facilitating deeper access for threat actors. The campaign highlights evolving social engineering tactics in cyber threats.

Security researchers have identified a malicious campaign named CrashFix, attributed to the threat cluster KongTuke. This campaign uses a fake Chrome extension, NexShield-Advanced Web Protection, masquerading as an ad-blocker to deliver ModelRAT malware. The extension mimics legitimate tools like uBlock Origin Lite and remains inactive initially. It then destabilizes the browser, prompting victims to execute attacker-supplied commands under the guise of a “repair” prompt.

Researchers identified a malicious browser extension named “NexShield – Advanced Web Protection” in the Chrome Web Store, designed to crash browsers and trick users into executing harmful commands. After a 60-minute delay, it initiates a denial-of-service loop, leading to crashes. Users are misled into running a malicious command from their clipboard. If the device is domain-joined, it installs a Python RAT called ModeloRAT. Recommendations include verifying extensions, avoiding untrusted commands, and using reliable security solutions.

A new campaign by the KongTuke hacking group utilizes a fake ad blocker, NexShield, to deploy ModeloRAT malware. The extension, a clone of uBlock Origin Lite, launches a denial-of-service attack to crash browsers, prompting users to run a fake security scan. This scan installs ModeloRAT, allowing hackers to steal sensitive information. The malware employs fingerprinting techniques to evade detection, targeting business users specifically. Users are advised to verify extension developers and be cautious of unexpected prompts.

A new ClickFix variant uses a fake ad blocker called NexShield to spread malware, specifically targeting enterprise users. Developed by the threat actor KongTuke, it crashes browsers to trick users into installing ModeloRAT, a remote access trojan. The attack begins an hour after installation, creating a denial-of-service condition that prompts users to restart their browser and follow a fake error message to execute a command that installs the malware. Security researchers Huntress identified this evolving threat.

A fake Chrome extension named NexShield, masquerading as an ad blocker, creates a denial-of-service condition in Google Chrome by exhausting system memory. Once the browser crashes, it prompts users to run a fake scan, leading to a ClickFix-style attack that downloads the ModeloRAT malware. Targeting business users, NexShield has been removed from the Chrome Web Store. Users are advised to avoid clicking on ads for extensions, verify ratings, and refrain from executing suspicious commands.

Cybersecurity researchers identified an XSS vulnerability in the StealC malware control panel, enabling them to gather data on threat actor operations. The StealC information stealer, launched in January 2023, has been distributed via YouTube and other methods. The flaw allowed researchers to collect system fingerprints and session cookies. A specific threat actor, YouTubeTA, was linked to over 390,000 stolen passwords and 30 million cookies. The research highlights security weaknesses in the malware's design, potentially aiding in identifying other operators.

Security researchers exploited a cross-site scripting (XSS) vulnerability in the StealC infostealer's web panel, enabling them to gather evidence on its operations. The vulnerability allowed the retrieval of active session cookies and identification of the threat actor, “YouTubeTA,” who stole 390,000 passwords and over 30 million cookies. The research revealed weaknesses in cookie security and code quality, suggesting that similar flaws in other malware could help identify operators.

Researchers identified an XSS vulnerability in the StealC malware control panel, revealing details about the operator "YouTubeTA." Active since 2023, StealC is a Malware-as-a-Service infostealer targeting cookies and passwords. The flaw allowed tracking of the operator's sessions and hardware details. YouTubeTA exploited hijacked YouTube accounts to steal credentials, focusing on creators. Evidence suggests the operator is a single individual based in Eastern Europe, having stolen hundreds of thousands of credentials in a few months.

CyberArk researchers accessed the StealC infostealer's control panel through a source code leak and an XSS vulnerability. They identified a threat actor named "YouTubeTA," who compromised YouTube channels, resulting in 390,000 stolen passwords and 30 million cookies. The attacker used an Apple M3 device, with traces leading to Ukraine. CyberArk aims to disrupt StealC's operations by attracting scrutiny and potential attacks from other entities.

A 40-year-old Jordanian national, Feras Khalil Ahmad Albashiti, pleaded guilty to selling unauthorized access to at least 50 company networks, exploiting two firewall products in 2023. He sold access to an undercover FBI agent in May 2023 and was later found to have sold malware that disabled endpoint detection and response systems. Albashiti was arrested in July 2024 and faces up to 10 years in prison and a $250,000 fine. Sentencing is scheduled for May 2025.

Feras Khalil Ahmad Albashiti, a Jordanian national, pleaded guilty to being an initial access broker for cyberattacks on at least 50 US companies in 2023. He sold access to these businesses to an undercover FBI agent for $5,000, providing IP addresses and bypass instructions. Albashiti also sold EDR-disabling malware for $15,000, revealing his IP during a demonstration. He is implicated in a ransomware attack causing $50 million in losses. Sentencing is set for May 11, 2026, with a maximum of ten years in prison and a $250,000 fine.

Feras Khalil Ahmad Albashiti, a Jordanian man, pleaded guilty in a US federal court for selling stolen login credentials to at least 50 companies, facilitating unauthorized access to their networks. The transaction occurred on May 19, 2023, with an undercover officer in an online forum. Albashiti faces a maximum penalty of 10 years in prison and a $250,000 fine. His extradition from Georgia was arranged by the DOJ, with sentencing set for May 11, 2026. Proceeds from the crime are subject to forfeiture.

Feras Khalil Ahmad Albashiti, a Jordanian man, pleaded guilty to selling unauthorized access to the networks of at least 50 companies, as announced by the US Attorney’s Office on a recent Thursday. He operated under the alias 'r1z' on an online forum, selling access in exchange for cryptocurrency. His activities included exploiting vulnerabilities like CVE-2021-42321 and CVE-2022-26134. Albashiti was extradited to the US and faces sentencing on May 11, 2026, with a potential 10-year prison term.

A Jordanian man, Feras Khalil Ahmad Albashiti, pleaded guilty in a US court to selling unauthorized access to the networks of at least 50 companies. Operating under the alias “r1z,” he sold access for cryptocurrency during an undercover sting in May 2023. Albashiti was arrested in Georgia and extradited in July 2024. He faces up to 10 years in prison and a $250,000 fine, with sentencing scheduled for May 11, 2026.

Ukrainian and German authorities have identified two Ukrainians linked to the Black Basta ransomware group and placed its alleged Russian leader, Oleg Nefedov, on an international wanted list. Active since early 2022, Black Basta has extorted hundreds of companies, including ABB and Ascension, causing significant financial damage. The suspects specialized in breaching systems and deploying ransomware. Digital devices and cryptocurrency were seized during police raids in Ukraine. Nefedov is suspected of orchestrating the group's operations and may be in Russia.

Ukrainian and German authorities have identified two Ukrainians linked to the Black Basta ransomware group, with leader Oleg Nefedov added to the EU's Most Wanted and INTERPOL's Red Notice lists. Nefedov, a Russian national, is accused of orchestrating cyberattacks and extorting money through ransomware. Black Basta, active since April 2022, has targeted over 500 companies and earned hundreds of millions in cryptocurrency. Following leaks of internal communications, the group has reportedly gone silent since February 2025.

Ukrainian and German police conducted operations against the Black Basta ransomware group, identifying two Ukrainian suspects and issuing an international wanted notice for the group's alleged Russian leader, Oleg Nefedov. Black Basta, active since April 2022, has impacted over 500 organizations globally, causing damages exceeding $20 million in Germany alone. The group is linked to over 329 victims and has accumulated at least $107 million in Bitcoin ransoms. Investigations are ongoing, with evidence seized during the raids.

Das BKA und die ZIT fahnden nach dem mutmaßlichen Anführer der Ransomware-Gruppe Black Basta, die für zahlreiche Angriffe in Deutschland verantwortlich ist. In der Ukraine wurden Wohnräume durchsucht und Beweismittel gesichert. Black Basta gilt als eine der aktivsten Ransomware-Gruppierungen, die zwischen März 2022 und Februar 2025 über 100 Unternehmen und Institutionen in Deutschland erpresste und dabei mehr als 20 Millionen Euro erbeutete.

On January 15, law enforcement in Ukraine and Germany raided two suspected members of the Black Basta ransomware group in Lviv and Ivano-Frankivsk, seizing digital storage devices and cryptocurrency. The suspects, identified as 'hash crackers,' facilitated unauthorized access to corporate systems, leading to significant data theft and ransomware deployment. The group has attacked hundreds of organizations from 2022 to 2025, causing damages in the hundreds of millions of euros. Oleg Evgenievich Nefedov, a key figure, is now on Europol’s Most Wanted list.

A data breach at the Canadian Investment Regulatory Organization (CIRO) affected approximately 750,000 individuals due to a phishing attack in August 2025. The breach exposed sensitive personal and financial data, including income, IDs, and account details, but no passwords or PINs were compromised. CIRO contained the incident, notified authorities, and launched a forensic investigation. They are offering two years of free credit monitoring and identity theft protection to affected individuals.

On January 14, 2026, CIRO confirmed a data breach affecting approximately 750,000 Canadian investors due to a phishing attack disclosed in August 2025. The breach compromised sensitive information, including dates of birth, social insurance numbers, and investment account details. CIRO did not collect login credentials, ensuring account security. They are offering two years of credit monitoring and identity theft protection to affected individuals and have engaged forensic investigators to address the incident.

A cyberattack on the Canadian Investment Regulatory Organization (CIRO) in mid-August 2025 exposed sensitive data of approximately 750,000 investors, including dates of birth, phone numbers, and social insurance numbers. No passwords or PINs were stolen. CIRO has completed its investigation, which took over 9,000 hours, and found no data on the dark web. Affected individuals will receive two years of free credit monitoring and identity theft protection services. CIRO will notify those impacted via email.

A coordinated campaign has been identified involving five malicious Chrome extensions that hijack enterprise sessions by stealing authentication tokens. These extensions, disguised as productivity tools, target popular HR and ERP platforms, enabling full account takeovers. Researchers from Socket.dev revealed that the extensions not only facilitate credential theft but also disrupt security controls, posing a significant threat to enterprise security.

Five malicious Chrome extensions have targeted enterprise HR and ERP platforms, including Workday, NetSuite, and SuccessFactors, enabling complete account takeover through session hijacking. These extensions, published under the name databycloud1104 and softwareaccess, have reached over 2,300 users. They steal authentication tokens, disable security controls, and block administrative access to critical functions. The extensions utilize bidirectional cookie injection and continuous session token extraction, complicating incident response efforts.

A set of malicious Google Chrome Extensions targeting Workday, Netsuite, and SAP SuccessFactors has been identified, stealing cookies and blocking incident response. Discovered by Socket, these extensions masqueraded as productivity tools and were downloaded by 2,300 users before removal. They extracted authentication cookies and session tokens, and employed tactics to hinder incident response. Socket recommends implementing Chrome Enterprise extension allowlists and monitoring for similar extensions to prevent compromises.

Security researchers Socket identified five malicious Chrome extensions impersonating HR/ERP platforms like Workday and NetSuite, enabling credential theft and session hijacking. Although removed from the Chrome Web Store, they remain on third-party sites. The extensions, downloaded 2,739 times, pose risks of full account takeovers, potentially leading to large-scale cyberattacks. Users are advised to uninstall these plugins and conduct thorough scans for infections. Some extensions were published over four years ago.

Cisco released security updates for a critical remote command execution vulnerability (CVE-2025-20393, CVSS 10.0) in Cisco AsyncOS Software for Secure Email Gateway, exploited by the China-linked APT UAT-9686. The flaw arises from insufficient validation in the Spam Quarantine feature. Successful exploitation allows root command execution. Cisco advises customers to update to fixed versions and implement hardening measures, including firewall protection and strong authentication.

Cisco confirmed active exploitation of a critical zero-day RCE vulnerability (CVE-2025-20393) in its Secure Email Gateway, allowing unauthenticated attackers to execute commands via crafted HTTP requests. The flaw, stemming from improper input validation, has a CVSS score of 10.0. Exploitation targets appliances with Spam Quarantine enabled. Cisco released patches and recommends immediate upgrades. The U.S. CISA added the CVE to its Known Exploited Vulnerabilities catalog, mandating mitigation by December 24, 2025.

China-linked APT UAT-9686 exploited a critical AsyncOS flaw (CVE-2025-20393, CVSS 10.0) in Cisco Secure Email products, allowing root command execution. Cisco detected attacks on exposed appliances with Spam Quarantine enabled, which is disabled by default. The vulnerability arose from improper HTTP request validation. Attackers deployed a persistence mechanism, AquaShell, and tools for reverse tunneling and log deletion. Cisco confirmed the flaw has been patched, and only misconfigured systems were compromised.

Cisco has released security updates for its Email Security Gateway and Secure Email and Web Manager devices to address CVE-2025-20393, a vulnerability exploited by suspected Chinese attackers since late November 2025. This flaw allows unauthenticated attackers to execute arbitrary commands due to insufficient validation of HTTP requests. Affected appliances had the Spam Quarantine feature enabled. Customers are urged to upgrade to specific AsyncOS versions to mitigate the risk and clear identified persistence mechanisms.

Cisco has patched a critical remote code execution vulnerability (CVE-2025-20393) in its Secure Email appliances, which was reportedly exploited by Chinese state-sponsored hackers for weeks. The flaw, disclosed in December 2025, allowed attackers to execute arbitrary commands with root privileges. The patch removes persistence mechanisms used by the attackers. Cisco urges affected customers to upgrade to the fixed software release, though the extent of the compromise remains unclear.

Cisco has patched a critical zero-day vulnerability, CVE-2025-20393, in its Secure Email Gateway products, affecting AsyncOS Software. The flaw, present since December, allows attackers to gain root access to the appliance when the Spam Quarantine feature is enabled and exposed to the internet. This vulnerability received a CVSS score of 10, indicating its critical severity. Organizations using these products are urged to apply the patch promptly to mitigate risks.

Wiz Research identified a critical vulnerability, CodeBreach, in AWS CodeBuild that allowed attackers to hijack key AWS GitHub repositories, including the AWS JavaScript SDK. The flaw was due to unanchored regex patterns in build triggers, enabling unauthorized access to privileged credentials. AWS promptly remediated the issue and implemented new security measures, including a Pull Request Comment Approval build gate. Organizations are advised to secure their CodeBuild projects by limiting permissions and preventing untrusted builds.

A critical misconfiguration in AWS's CodeBuild service, identified by Wiz researchers, allowed potential takeover of AWS's GitHub repositories, posing a risk to all AWS environments. The flaw stemmed from unanchored regex in webhook filters, enabling unauthorized access. AWS fixed the issue within 48 hours of disclosure, asserting no customer impact. The vulnerability highlights a broader CI/CD security challenge across cloud services, with implications for supply chain attacks and potential exploitation by malicious actors.

A critical vulnerability in the AWS Console, named CodeBreach, could have allowed attackers to take over core AWS GitHub repositories, particularly the AWS JavaScript SDK, impacting two-thirds of cloud environments. Disclosed to AWS in August 2025, the flaw stemmed from a Regex filter issue in AWS CodeBuild CI pipelines. AWS implemented hardening measures, including a Pull Request Comment Approval build gate. No evidence of exploitation exists, but users are advised to create unique access tokens for CodeBuild projects.

A critical misconfiguration in AWS CodeBuild, dubbed CodeBreach, exposed AWS's GitHub repositories, including the AWS JavaScript SDK, to potential takeover. The flaw allowed unauthenticated attackers to breach CI pipelines and leak privileged credentials. AWS fixed the issue in September 2025 after responsible disclosure. Recommendations include ensuring regex patterns in webhook filters are anchored, limiting Personal Access Token permissions, and using unprivileged accounts for CI/CD integration. No evidence of exploitation was found.

A misconfiguration in AWS CodeBuild could have enabled unauthorized access to numerous AWS GitHub repositories and applications, according to researchers at Wiz. The vulnerability arose from a flaw in the CI pipeline's handling of build triggers, where two missing characters in a regex filter allowed attackers to infiltrate the build environment and expose privileged credentials. The regex filter is designed to prevent the leakage of secrets from log outputs.

A critical misconfiguration in AWS CodeBuild allowed unauthenticated attackers to take control of key AWS GitHub repositories, including the AWS JavaScript SDK. The vulnerability stemmed from unanchored regex patterns in webhook filters, enabling bypass through GitHub ID overlaps. Attackers exploited this to submit malicious pull requests, extracting a GitHub Personal Access Token (PAT) with admin privileges. AWS fixed the issue within 48 hours, ensuring no customer data was impacted. Recommendations include anchoring regexes and using fine-grained PATs.

A critical misconfiguration in AWS CodeBuild, named “CodeBreach,” allowed unauthorized privileged builds, risking exposure of GitHub tokens and potential supply chain attacks. Discovered by Wiz, the flaw was reported in late August 2025 and fixed within 48 hours. AWS implemented safeguards, audited public build environments, and found no evidence of exploitation. Users are advised to review CI/CD configurations, anchor regex filters, and limit token privileges to enhance security.

A vulnerability named CodeBreach was discovered in AWS CodeBuild, linked to two missing characters in a security filter, risking the AWS JavaScript SDK and potentially allowing hackers to access privileged credentials and take over the software repository. Wiz Research alerted Amazon on August 25, 2025, and AWS fixed the issue within 48 hours. Users are advised to enable a Pull Request Comment Approval gate to enhance security. The incident highlights the rising risks from small oversights in code.

Mandiant has released a rainbow table that can crack administrative passwords protected by Microsoft’s NTLM.v1 hash algorithm in under 12 hours using consumer hardware costing less than $600. This database, hosted in Google Cloud, targets Net-NTLMv1 passwords used in network authentication. Despite known vulnerabilities, NTLMv1 is still used in sensitive networks due to legacy app dependencies and the costs associated with migration. Mandiant aims to help security professionals demonstrate the protocol's insecurity.

Mandiant has released a dataset of Net-NTLMv1 rainbow tables, highlighting the security risks of this deprecated protocol. The release allows credential recovery in under 12 hours using consumer-grade hardware, making it a practical attack vector. Organizations are urged to migrate away from Net-NTLMv1, as it can be exploited through known plaintext attacks. Immediate mitigation includes disabling Net-NTLMv1 and configuring systems to use NTLMv2 only. Continuous monitoring is essential to prevent post-compromise downgrades.

Mandiant released tools to crack Microsoft’s Net-NTLMv1 authentication protocol in under 12 hours, highlighting its vulnerability to credential theft. The dataset allows security professionals to demonstrate this weakness using consumer hardware. Mandiant urges organizations to disable Net-NTLMv1 immediately. Additionally, a US Navy sailor was sentenced to 16 years for selling secrets to China, and a hacker pleaded guilty to accessing the US Supreme Court's filing system. Interpol apprehended 34 members of the Nigerian crime syndicate Black Axe.

Mandiant has released a pre-computed rainbow table lookup to crack NTLMv1 credentials, aiming to encourage organizations to abandon this insecure authentication protocol. Despite its known vulnerabilities, NTLMv1 remains in use. The lookup, available on the Google Cloud Research Dataset portal, allows attackers to reconstruct NT hashes from server responses, enabling key recovery in about 12 hours on a $600 computer, significantly reducing the time and cost compared to traditional brute-force methods.

A vulnerability in Google's Fast Pair feature, dubbed WhisperPair, allows attackers to exploit 17 major headphone and speaker models, potentially enabling them to access microphones, speakers, and track locations. This flaw affects devices from brands like Google, JBL, and Sony. Attackers need only be within Bluetooth range and know the device's model ID. Users are urged to download manufacturer apps for patches, as disabling Fast Pair is not an option. Recommendations include cryptographic enforcement for device pairing.

Researchers from the Belgian University of Leuven identified vulnerabilities in Bluetooth audio accessories using Google Fast Pair, affecting brands like Sony, Jabra, and JBL. The flaw allows attackers to hijack devices without user interaction, potentially enabling eavesdropping and location tracking via Google’s Find Hub. This vulnerability, classified as CVE‑2025‑36911, is critical, requiring firmware updates from manufacturers for mitigation. Users should keep their accessories updated to safeguard against these risks.

Researchers at KU Leuven University warn that Bluetooth audio devices may be vulnerable due to flaws in Google's Fast Pair technology, collectively termed WhisperPair. These vulnerabilities could allow hackers to hijack devices from approximately 46 feet away. Google has issued updates for some products, including Pixel Buds Pro, and recommends users check for firmware updates. The research group received a $15,000 bounty for their findings and is preparing an academic paper. Users can check for affected products on their website.

A vulnerability in Google's Fast Pair system, named "WhisperPair," allows attackers to silently hijack Bluetooth accessories like earbuds and headphones. Researchers from KU Leuven found that many devices do not enforce pairing mode correctly, enabling unauthorized connections. Once paired, attackers can access audio controls and potentially register devices to their accounts. Google is working on firmware updates, but many cheaper devices may not receive patches. The issue highlights flaws in security implementations by manufacturers.

Cisco Talos is monitoring UAT-8837, a China-nexus APT targeting critical infrastructure in North America since 2025. They exploit vulnerabilities and stolen credentials, using open-source tools to steal data and maintain access. Their evolving techniques can bypass traditional defenses, leading to significant risks. Recommendations include keeping systems patched, monitoring for specific tools, and managing credentials and privileges effectively. BreachForums was breached, exposing 324K users. Target's source code was reportedly stolen. Predator spyware learns from failed attacks.

Chinese hackers, identified as UAT-8837 by Cisco Talos, breached multiple North American critical infrastructure organizations over the past year using compromised credentials and exploitable servers. The group exploited vulnerabilities, notably CVE-2025-53690, affecting SiteCore products. Tools like Earthworm were used to expose internal endpoints. Concerns escalated after the Salt Typhoon group compromised an email platform for Congressional staffers. U.S. officials warn of ongoing threats from Chinese government-backed hackers targeting critical infrastructure.

A China-linked advanced persistent threat (APT) actor, UAT-8837, has been targeting North American critical infrastructure, exploiting a zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS 9.0) for initial access. The group uses open-source tools to harvest sensitive information and disable security features like RestrictedAdmin for RDP. Recent activities include exfiltrating DLL-based libraries, raising supply chain compromise concerns. Western governments have issued alerts regarding threats to operational technology environments.

A China-linked advanced persistent threat group, UAT-8837, has been targeting North American critical infrastructure since at least 2025, utilizing exploits and stolen credentials. The group employs various tools, including Earthworm, DWAgent, and Certipy, to maintain access and conduct attacks. Notably, they exploited CVE-2025-53690, a zero-day vulnerability in SiteCore products. Cisco Talos has published Snort Rules and IOCs to help detect and mitigate this threat.

A critical vulnerability in the WordPress Modular DS plugin, tracked as CVE-2026-23550 (CVSS score: 10.0), allows unauthenticated privilege escalation in all versions up to 2.5.1. Exploitation can lead to admin access and potential site compromise. The flaw, rooted in the plugin's routing mechanism, was first detected on January 13, 2026. Users are urged to update to version 2.5.2 to mitigate risks. The vulnerability underscores the dangers of implicit trust in internal request paths exposed to the public internet.

A critical vulnerability in the Modular DS WordPress plugin (CVE-2026-23550) allows unauthenticated privilege escalation, enabling admin takeover. Exploited since January 13, 2026, the flaw affects versions 2.5.1 and earlier, allowing attackers to bypass authentication and access sensitive routes. The issue was resolved in version 2.5.2. Users are urged to update immediately to mitigate risks. The vulnerability underscores the dangers of implicit trust in internal request paths exposed to the internet.

A critical vulnerability (CVE-2026-23550) in the Modular DS WordPress plugin, affecting over 40,000 websites, allows attackers to bypass authentication and gain admin access. Scored 10/10, it has been exploited since January 13, 2026. Users are urged to upgrade to version 2.5.2, released shortly after the vendor was notified. Recommended actions include reviewing indicators of compromise, regenerating WordPress salts and OAuth credentials, and scanning for malicious files.

Security researchers have identified active exploitation of a critical privilege escalation vulnerability in the Modular DS plugin, tracked as CVE-2026-23550, with a CVSS score of 10.0. This flaw allows unauthenticated attackers to gain full admin access to vulnerable WordPress sites. Affected versions are 2.5.1 and earlier. The issue arises from unprotected API routes, enabling access escalation without credentials. The vulnerability was disclosed by Patchstack.

Palo Alto Networks has issued security updates for a high-severity DoS vulnerability (CVE-2026-0227, CVSS 7.7) affecting GlobalProtect Gateway and Portal in PAN-OS software. An unauthenticated attacker can trigger the flaw, causing firewalls to enter maintenance mode. Affected versions include PAN-OS 12.1, 11.2, 11.1, 10.2, and 10.1, as well as Prisma Access 11.2 and 10.2. No workarounds exist, and while there's no evidence of exploitation, devices should be updated due to increased scanning activity.

Palo Alto Networks addressed a high-severity vulnerability, CVE-2026-0227 (CVSS 7.7), affecting GlobalProtect Gateway and Portal, allowing unauthenticated attackers to cause a denial of service (DoS) to the firewall. Exploiting this flaw can force the device into maintenance mode, disrupting network traffic. The vulnerability impacts only PAN-OS or Prisma Access setups with GlobalProtect enabled and does not affect Cloud NGFW. No known active exploits have been reported.

Palo Alto Networks patched CVE-2026-0227, a high-severity DoS vulnerability (7.7/10) in GlobalProtect Gateway and Portal, allowing unauthenticated attackers to force firewalls into maintenance mode. Affected versions include PAN-OS 12.1 < 12.1.3-h3, 11.2 < 11.2.4-h15, and others. The Cloud NGFW is unaffected. No workarounds exist; applying the patch is essential. Currently, there are no reported instances of exploitation.

Palo Alto Networks has released patches for its PAN-OS firewall platform due to a high-severity denial-of-service vulnerability, CVE-2026-0227, rated 7.7 CVSS. This flaw affects customers using PAN-OS NGFW or Prisma Access with GlobalProtect enabled. If unpatched, an unauthenticated attacker could exploit this vulnerability, causing the firewall to enter maintenance mode after repeated attempts. Users are advised to apply the patches to mitigate this risk.

Microsoft has addressed a vulnerability in its Copilot AI assistant that allowed a multistage attack, discovered by Varonis researchers, to exfiltrate sensitive user data with a single click on a malicious URL. The attack extracted information such as the user's name and location from Copilot chat history, bypassing endpoint security measures. The exploit executed immediately upon clicking the link, even if the user closed the chat tab. The attack utilized a crafted URL to embed personal details in web requests.

Researchers identified a "Reprompt" attack that exploits Microsoft Copilot's handling of URL parameters, allowing attackers to hijack a user's session and execute malicious prompts without user input. This vulnerability was addressed in Microsoft's January Patch Tuesday update, with no known exploitation reported. Users are advised to install the update, utilize Microsoft 365 Copilot for enhanced security features, and avoid clicking unsolicited links. Awareness of AI assistants' privacy risks is crucial as they may inadvertently process untrusted inputs.

Cybersecurity researchers have identified a new attack method called Reprompt, enabling single-click data exfiltration from Microsoft Copilot, bypassing security controls. The attack requires only one click on a legitimate link and allows continuous data extraction without further user interaction. Microsoft has addressed the issue, which does not affect Microsoft 365 Copilot users. Recommendations include limiting access to sensitive tools and implementing layered defenses to mitigate risks associated with AI systems.

Security researchers at Varonis discovered a new prompt-injection attack method, named "Reprompt," that compromises Microsoft Copilot with a single click via malicious URL parameters. This attack allows cybercriminals to trick Generative AI tools into leaking sensitive data. Microsoft has since patched the vulnerability, preventing such prompt injection attacks through URLs. The flaw was reported to Microsoft, which acted quickly to mitigate the risk.

A vulnerability in Microsoft Copilot, identified as the 'Reprompt' exploit, allows attackers to steal personal data with a single click via a phishing link. This multi-stage prompt injection can bypass security controls, enabling attackers to request sensitive information even when Copilot is closed. Microsoft has patched the flaw, reported in August 2025. Users are advised to be cautious with shared information and vigilant against phishing attempts, including not clicking unexpected links.

A new attack method called ‘Reprompt’ has been identified by Varonis Threat Labs, allowing attackers to bypass security controls after an initial prompt to an AI copilot. This three-step attack grants undetectable access to sensitive information, highlighting the risks of trusting AI assistants with confidential data. Security researcher Dolev Taler emphasizes that while AI assistants are helpful, their gullibility can be exploited, turning them into tools for data exfiltration.

On January 14, Microsoft announced the disruption of RedVDS, a cybercriminal subscription service linked to over $40 million in fraud losses since March 2025. RedVDS provided tools for phishing and business email compromise (BEC) scams, utilizing AI to enhance attacks. Victims included H2-Pharma and Gatehouse Dock Condominium Association. Microsoft urged victims to report cybercrimes and recommended measures like multi-factor authentication and verifying payment requests to mitigate risks.

Microsoft has disrupted the RedVDS cybercrime platform, linked to over $40 million in fraud losses in the U.S. RedVDS provided disposable virtual computers for cybercriminals, enabling phishing and payment diversion scams. Microsoft, in collaboration with law enforcement, seized domains and servers associated with RedVDS. The platform facilitated attacks on over 191,000 Microsoft email accounts across 130,000 organizations, significantly impacting sectors like real estate and healthcare.

Microsoft has disrupted the RedVDS cybercrime subscription service linked to approximately $40 million in fraud losses since March 2025. This service provided criminals with disposable virtual computers for as low as $24 a month, facilitating high-volume phishing and fraud schemes. Over 191,000 organizations, particularly in real estate and healthcare, faced compromised accounts due to attackers inserting fraudulent payment instructions during email communications. The operation involved collaboration with international law enforcement.

Cybercriminals in Germany executed a boss fraud scheme, gaining access to victims' systems through phishing emails to steal money and sensitive data by impersonating executives or partners. RedVDS allegedly provided an online subscription service for criminals to rent infrastructure, offering access to a virtual disposable computer for $24/month. In one month, over 2,600 RedVDS machines sent approximately one million phishing emails daily to Microsoft customers, affecting users across various platforms.

Microsoft has taken legal action in the U.S. and U.K. against the cybercrime service RedVDS, which has allegedly caused $40 million in fraud losses since March 2025. RedVDS offered disposable virtual computers for as low as $24/month, enabling criminals to conduct phishing, BEC scams, and financial fraud. The service was taken offline, disrupting a network that compromised over 191,000 organizations globally. Microsoft identified various threat actors using RedVDS for sophisticated cyber attacks, leveraging tools like generative AI for deception.

Microsoft, Europol, and German police dismantled the RedVDS cybercrime platform, which facilitated phishing, BEC, and malware distribution, causing $40M in losses in 2025. RedVDS offered disposable Windows cloud servers for as low as $24/month, enabling scalable fraud. Affected organizations include H2-Pharma, which lost $7.3M, and the Gatehouse Dock Condominium Association, which lost nearly $500,000. Criminals used AI for phishing and sent over a million phishing emails monthly, compromising about 200,000 Microsoft customers.

Microsoft has initiated civil actions in the UK and US against RedVDS, a cybercrime-as-a-service platform facilitating phishing and fraud. The operation, in collaboration with Europol and German law enforcement, has led to the seizure of RedVDS's domains and infrastructure. RedVDS has reportedly caused $40 million in fraud losses in the US, affecting over 191,000 organizations globally. Victims include H2-Pharma and Gatehouse Dock Condominium Association. Microsoft aims to combat such services that enable widespread cybercrime.

A joint operation by Microsoft and international law enforcement dismantled a business email compromise (BEC) attack chain using the RedVDS fraud engine. RedVDS provided disposable virtual machines for criminals to send phishing emails and stage payment diversion schemes, affecting over 191,000 organizations globally. The operation seized RedVDS domains and disrupted payment channels, highlighting the importance of targeting shared crime infrastructure to reduce BEC attacks.

Microsoft's Digital Crimes Unit disrupted the RedVDS cyber-crime-as-a-service network, collaborating with UK and US authorities. RedVDS, which offered disposable virtual computers for £18/month, was linked to over 191,000 compromised organizations since September 2025, generating at least $40 million in profits. The service facilitated various cyber-crimes, particularly business email compromise, and utilized AI for targeting and phishing. Two domains were seized, aiding in identifying the perpetrators.

California's Attorney General Rob Bonta has launched an investigation into xAI's Grok AI tool for generating nonconsensual sexually explicit material, including deepfakes of minors. The probe follows similar investigations by Britain's Ofcom and the Paris Prosecutor’s Office. Indonesia and Malaysia announced plans to block access to Grok. Elon Musk stated he is unaware of any illegal images produced by Grok and emphasized the tool's compliance with laws.

California Attorney General Rob Bonta has launched an investigation into xAI, alleging its AI model Grok is used to create nonconsensual sexually explicit images of women and children. The probe focuses on Grok’s “spicy mode,” which generates explicit content. Bonta emphasized the need for immediate action to prevent further dissemination of such material. This announcement follows the Senate's passage of the DEFIANCE Act, allowing victims of nonconsensual deepfakes to pursue civil action.

Elon Musk's xAI will block its Grok AI tool from creating sexualized images of real people following backlash over its misuse to generate explicit imagery. This decision comes amid investigations by California's attorney general and regulatory scrutiny in the UK, Malaysia, and Indonesia. Musk stated Grok is programmed to refuse illegal requests. X's changes will apply to all users, but it's unclear if the standalone Grok app will still allow such images. The UK is set to criminalize the creation of these images.

SpyCloud launched its Supply Chain Threat Protection solution on January 14, 2026, enhancing identity threat protection for organizations and government agencies. This solution offers real-time monitoring of vendor identity exposures, moving beyond static risk assessments. It utilizes data from breaches and malware to identify active threats, addressing a critical gap in enterprise security. The service aims to improve vendor management and incident response, enabling proactive measures against identity threats in supply chains.

SpyCloud has launched Supply Chain Threat Protection, enhancing identity threat defense across vendor ecosystems. This solution provides real-time awareness of identity exposures affecting third-party partners, addressing a critical gap in enterprise security. It aggregates data from breaches and malware, enabling organizations to identify compromised suppliers and assess risks. Key features include an Identity Threat Index, compromised application identification, and integrated response capabilities, facilitating proactive vendor management and incident response.

SpyCloud launched its Supply Chain Threat Protection solution on January 14, 2026, to enhance identity threat visibility for enterprises and government agencies. This solution shifts from static risk scoring to real-time monitoring of vendor identity exposures, leveraging data from breaches and malware. The 2025 Verizon report noted a rise in third-party breaches, emphasizing the need for proactive measures. Key features include an Identity Threat Index and compromised application identification, enabling better vendor management and response capabilities.

Fortinet has addressed a critical OS injection vulnerability in FortiSIEM (CVE-2025-64155, CVSS 9.4) allowing unauthenticated remote code execution. It affects Super and Worker nodes in versions 6.7.0-6.7.10, 7.0.0-7.0.4, 7.1.0-7.1.8, 7.2.0-7.2.6, 7.3.0-7.3.4, and 7.4.0. Users should upgrade to fixed releases. Additionally, a critical flaw in FortiFone (CVE-2025-47855, CVSS 9.3) allows unauthorized access to device configurations. Users are advised to update to the latest versions and limit access to port 7900.

A critical vulnerability (CVE-2025-64155) in FortiSIEM allows unauthenticated remote code execution via crafted CLI requests, exposing systems to root compromise. Discovered by Horizon3.ai, the flaw enables arbitrary file writes and privilege escalation. Affected versions include 7.3.0-7.3.1, 7.2.0-7.2.5, 7.1.0-7.1.7, 7.0.0-7.0.3, and 6.7.0-6.7.9, with recommendations to upgrade to fixed releases. Fortinet advises immediate patching and monitoring for indicators of compromise.

Fortinet addressed two critical vulnerabilities in FortiFone and FortiSIEM. CVE-2025-64155 (CVSS 9.4) allows unauthenticated attackers to execute unauthorized commands via crafted TCP requests in FortiSIEM, affecting versions 7.4.0 and below. CVE-2025-47855 (CVSS 9.3) enables unauthorized access to device configurations in FortiFone through crafted HTTP/HTTPS requests, impacting versions 3.0.24 and 7.0.2. Patches and recommendations for limiting access to affected components were provided.

A critical command injection vulnerability in Fortinet FortiSIEM, tracked as CVE-2025-64155, has been disclosed, allowing unauthenticated remote root access for nearly three years. The flaw affects the phMonitor service, which runs with elevated privileges. Public exploit code was released by Horizon3.ai, revealing that attackers can inject commands and execute arbitrary files as the root user. Fortinet was informed in August 2025, and fixes were released on Tuesday.

A critical vulnerability (CVE-2025-64155) in Fortinet’s FortiSIEM allows unauthenticated remote code execution via crafted TCP requests targeting the phMonitor service. Discovered by Horizon3.ai, it has a publicly released PoC exploit. Fortinet advises upgrading to fixed versions (7.4.1+, 7.3.5+, 7.2.7+, 7.1.9+) or limiting access to port 7900 if upgrades are not possible. The vulnerability does not affect FortiSIEM Cloud or Collector nodes. Indicators of compromise include suspicious phMonitor log entries.

Fortinet FortiSIEM vulnerability CVE-2025-64155 is actively exploited, allowing unauthenticated remote code execution via OS command injection. Attackers target storage configuration endpoints with crafted TCP requests to port 7900, enabling arbitrary file writes and privilege escalation to root. Affected versions include FortiSIEM 6.7 (6.7.0-6.7.10), 7.0 (7.0.0-7.0.4), 7.1 (7.1.0-7.1.8), 7.2 (7.2.0-7.2.6), and 7.3 (7.3.0-7.3.4). Organizations must upgrade immediately and block external access to TCP 7900.

A critical vulnerability in Fortinet FortiSIEM, tracked as CVE-2025-64155, is being actively exploited, following a proof of concept release. The flaw allows unauthorized command execution due to improper neutralization of special elements. Fortinet issued an advisory after researchers from Horizon3.ai disclosed the issue. Previous related vulnerabilities include CVE-2023-34992 and CVE-2024-23108. Despite remediation efforts, Fortinet's measures have not fully addressed the vulnerabilities, which were noted in Black Basta's chat logs.

A proof-of-concept (PoC) exploit for a critical vulnerability (CVE-2025-64155) in Fortinet’s FortiSIEM has been released, allowing unauthenticated remote attackers to execute unauthorized commands on vulnerable systems via crafted TCP requests. Organizations are urged to patch their FortiSIEM deployments immediately to mitigate potential risks. Additionally, Instagram denied reports of a data breach affecting 17.5 million accounts, attributing password reset requests to other issues.

A critical vulnerability in Fortinet FortiSIEM (CVE-2025-64155, CVSS 9.4) allows unauthenticated remote code execution, affecting the phMonitor service. Microsoft disrupted the RedVDS cybercrime service, linked to $40 million in U.S. losses, facilitating phishing and fraud. A new Linux malware, VoidLink, targets cloud environments for long-term access. Researchers identified a Reprompt attack on Microsoft Copilot, enabling data exfiltration. AWS fixed a critical misconfiguration (CodeBreach) risking GitHub repository takeover.

VoidLink is a newly discovered Linux malware targeting cloud environments, featuring 37 plugins and likely developed by a single individual using AI. Check Point Research reported it originated from a Chinese-affiliated environment and was first identified in December. The malware can detect major cloud platforms and includes advanced operational capabilities. Development artifacts indicate it evolved from concept to functional malware in under a week, showcasing the potential for AI-generated malware.

Microsoft's January 2026 Patch Tuesday update addresses 112 vulnerabilities, including 8 critical ones. Notable vulnerabilities include CVE-2026-20805 (information disclosure), CVE-2026-20854 (RCE in LSASS), and CVE-2026-20922 (NTFS RCE). Several critical vulnerabilities involve remote code execution in Microsoft Office applications and Windows services. Talos has released new Snort rules to detect exploitation attempts, with specific rules provided for both Snort 2 and Snort 3.

Microsoft's January 2026 Patch Tuesday update addressed 112 vulnerabilities, including the zero-day CVE-2026-20805, an information disclosure flaw in Desktop Window Manager with a CVSS score of 5.5. This vulnerability can expose sensitive information and is now in the CISA's exploited vulnerabilities catalog. Other notable defects include CVE-2026-20947 and CVE-2026-20963 affecting SharePoint, and CVE-2026-20944 impacting Word. Eight vulnerabilities were flagged as likely to be exploited.

A Windows vulnerability, CVE-2026-20805, allows authorized attackers to leak memory addresses from a remote ALPC port, potentially leading to arbitrary code execution. It has a medium severity rating (5.5 CVSS) and is now in CISA's Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by February 3. Microsoft also disclosed two other vulnerabilities: CVE-2026-21265 (6.4 CVSS) related to secure boot certificate expiration and CVE-2023-31096 (7.8 CVSS) in Agere Modem drivers.

Microsoft's January 2026 Patch Tuesday addressed 113 vulnerabilities, including eight rated "critical." Notably, CVE-2026-20805, a zero-day flaw in the Desktop Window Manager, is actively exploited. Other critical flaws include two Microsoft Office remote code execution vulnerabilities (CVE-2026-20952, CVE-2026-20953). Microsoft removed legacy modem drivers due to CVE-2023-31096. Additionally, CVE-2026-21265 affects Windows Secure Boot, with expiring certificates posing future risks. Mozilla also patched 34 vulnerabilities in Firefox.

Microsoft's January 2026 Patch Tuesday revealed eight critical vulnerabilities, including an actively exploited zero-day. Most vulnerabilities affect Office products, with two SharePoint flaws scoring 8.8 on the CVSS scale. Nick Carroll from Nightwing emphasized the risk posed by SharePoint vulnerabilities, referencing previous exploitation by Chinese APTs using ToolShell against organizations. Immediate attention and patching are recommended to mitigate potential threats.

Microsoft patched a critical zero-day vulnerability in its Desktop Window Manager (DWM) on January 13, 2026, tracked as CVE-2026-20805. This flaw allows low-privilege local attackers to expose sensitive user-mode memory, potentially aiding privilege escalation. It has a CVSS score of 5.5 and affects older Windows versions in extended support. Administrators are urged to prioritize updates and restrict local low-privilege accounts. No public proof-of-concept exists yet.

Microsoft's January 2026 Patch Tuesday addresses 114 vulnerabilities, including CVE-2026-20805, an exploited-in-the-wild information disclosure vulnerability in Windows DWM, rated medium severity (CVSS 5.5). Additionally, CVE-2023-31096, an elevation of privilege vulnerability in legacy Agere modem drivers, has functional exploit code. A critical security feature bypass, CVE-2026-21265, affects Windows Secure Boot, with impending expiration of old root certificates. Visual Studio 2022 LTSC 17.10 and Dynamics CRM 2016 reach end of support.

Microsoft's January 2026 Patch Tuesday addressed 112 security flaws, including eight critical vulnerabilities across various products. Notably, CVE-2026-20805, a Windows flaw, is actively exploited, allowing attackers to leak memory information, potentially aiding further exploits. Other significant vulnerabilities include CVE-2023-31096 and CVE-2024-55414, both allowing elevated privileges via outdated modem drivers, and CVE-2026-21265, related to Secure Boot certificate expiration. Microsoft removed the vulnerable drivers in the update.

Microsoft's January 2026 Patch Tuesday addressed 114 security flaws, including one actively exploited vulnerability (CVE-2026-20805) affecting Desktop Window Manager, rated CVSS 5.5. Eight flaws are Critical, and 106 are Important. Notable vulnerabilities include CVE-2026-21265 (Secure Boot bypass, CVSS 6.4) and CVE-2026-20876 (VBS Enclave privilege escalation, CVSS 6.7). CISA has added CVE-2026-20805 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by February 3, 2026.

Microsoft's January 2026 Patch Tuesday addressed over 100 CVEs, including three zero-days. CVE-2026-20805 is an information disclosure vulnerability in the Desktop Window Manager, allowing local attackers to leak sensitive memory details. CVE-2026-21265 is a security feature bypass related to the expiration of Root of Trust certificates, requiring hardware audits and coordinated updates. CVE-2023-31096 is an elevation of privilege vulnerability in the Agere Modem driver, with patches removing affected drivers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Microsoft Windows vulnerability CVE-2026-20805 (CVSS Score 8.7) to its Known Exploited Vulnerabilities catalog. This flaw, part of January 2026's Patch Tuesday updates, allows attackers to leak memory information, potentially aiding further exploits. CISA mandates federal agencies to remediate by February 3, 2026, while private organizations are advised to review and address vulnerabilities in their infrastructure.

Microsoft has issued a warning regarding a critical vulnerability (CVE-2026-21265) affecting Windows Secure Boot due to expiring 2011 certificates. This flaw could allow attackers to disrupt boot integrity if not patched. Rated Important (CVSS 6.4), it requires local access and high privileges. Microsoft urges immediate deployment of replacement certificates before mid-2026 to prevent boot-time attacks. Patches are available for legacy Windows Server and extended-support editions, requiring customer action.

U.S. government agencies must patch a vulnerability in Microsoft’s Desktop Windows Manager, tracked as CVE-2026-20805, due to confirmed exploitation by threat actors. CISA added it to its exploited bugs catalog. The vulnerability, part of 113 disclosed on the first Patch Tuesday of 2026, has a severity score of 5.5 and can lead to information leakage. Attackers need local access to exploit it, and the DWM process runs with elevated privileges, facilitating potential attacks. Agencies have until February 3 to patch.

Microsoft's January 2026 Patch Tuesday addressed 115 vulnerabilities, including eight Critical and 106 Important. Key fixes include three zero-day vulnerabilities: CVE-2026-20805 (Desktop Window Manager), CVE-2023-31096 (Agere Soft Modem Driver), and CVE-2026-21265 (Secure Boot). Critical Remote Code Execution flaws in Office and Windows were also patched. Experts emphasize the urgency of applying these updates, particularly for businesses, with the next update scheduled for February 10, 2026.

Microsoft's January 2026 Patch Tuesday addresses 114 vulnerabilities, including one active zero-day flaw (CVE-2026-20805) affecting the Desktop Windows Manager, with a CVSS score of 5.5. This flaw allows unauthorized access to sensitive information. Other notable vulnerabilities include CVE-2026-21265, which could enable malware to run during boot, and CVE-2026-20876, granting hackers elevated privileges. Users are advised to install updates promptly and enhance their online security practices.

A high-risk alert has been issued for Microsoft users due to an active exploit of a vulnerability in the Windows Desktop Window Manager, identified as CVE-2026-20805. This flaw enables attackers with local access to extract sensitive information discreetly. The urgency of the situation is emphasized by the potential for unnoticed exploitation leading to significant damage. Users are advised to take immediate precautions to mitigate risks associated with this vulnerability.

Critical security updates have been released for CVE-2026-20824, a vulnerability in Windows Remote Assistance that allows attackers to bypass the Mark of the Web defense. Disclosed on January 13, 2026, it affects Windows 10 through Windows Server 2025. The flaw requires local access and user interaction, posing confidentiality risks. Microsoft has issued patches for 29 Windows configurations. Patching is urgent, with updates classified as "Required" for security. Exploitation is currently deemed "Less Likely.

CERT-UA reported on PLUGGYAPE malware targeting Ukrainian defense forces from October to December 2025, attributed to the Russian group Void Blizzard. The malware is distributed via Signal and WhatsApp, disguised as charity links. PLUGGYAPE, written in Python, communicates with remote servers using WebSocket or MQTT, with command-and-control addresses stored in base64 on external services. Recent phishing campaigns also involved FILEMESS and GAMYBEAR malware targeting various Ukrainian entities.

Threat actors targeted Ukraine’s Defense Forces with a malware campaign from October to December 2025, using charity-themed social engineering. The PLUGGYAPE backdoor, a Python-based malware, was distributed via fake charity websites, prompting downloads of disguised executable files. The threat group, UAC-0190 (Void Blizzard), utilized sophisticated techniques for persistence and communication, evolving to PLUGGYAPE.V2 with enhanced obfuscation. CERT-UA analysts identified the campaign, highlighting its impact on military personnel.

CERT-UA reported PLUGGYAPE malware attacks targeting Ukraine’s defense forces, attributed with medium confidence to the Russian group Void Blizzard. The attack utilizes social engineering via instant messaging, leading victims to download malicious files disguised as documents. The PLUGGYAPE backdoor, developed in Python, allows remote access and employs MQTT for communication. Recent variants include anti-analysis checks and obfuscation techniques. The report highlights the evolving cyberthreat landscape and the use of legitimate accounts for initial contact.

A widespread Magecart campaign has been identified, targeting users of major credit cards since January 2022. Attackers use seemingly harmless domains to host malicious scripts that replace legitimate payment forms with fake ones, capturing sensitive information. The malware evades detection by deleting itself when a site administrator is logged in. Users are advised to watch for unusual requests to re-enter payment info, while store owners should control script permissions to mitigate risks.

A long-running web skimming campaign, active since January 2022, targets major payment networks including American Express and Mastercard. Researchers from Silent Push found that the campaign uses obfuscated JavaScript to harvest credit card and personal information from e-commerce sites. The skimmer evades detection by checking for WordPress admin elements and manipulates payment forms to trick users. Stolen data is sent to "lasorie[.]com," and the skimmer erases its traces post-exfiltration.

A renewed Magecart attack in 2026 targets e-commerce websites, stealing customer credit card information during checkout. This campaign, active since early 2022, uses JavaScript injection to embed malicious code into sites, activating on checkout pages. It captures sensitive data, including card details and personal information, and employs psychological tactics to mislead victims. The malware evades detection by disabling itself for site administrators, indicating a sophisticated and persistent threat to online retail security.

A Magecart campaign targeting major payment providers, including American Express, Diners Club, Discover, and Mastercard, has been active since early 2022. Attackers inject malicious JavaScript into checkout pages to steal payment data. The campaign exploits vulnerabilities in supply chains and third-party scripts. Recommendations for shoppers include using virtual cards, enabling transaction alerts, and employing strong passwords. Web skimmers can bypass traditional fraud controls, making vigilance essential for both customers and merchants.

Cybersecurity researchers from Check Point Research have identified a sophisticated Linux malware framework named VoidLink, designed for stealthy access to cloud environments. Discovered in December 2025, it features custom loaders, rootkits, and over 30 plugins, enabling adaptability and long-term operations. VoidLink targets major cloud platforms like AWS and Azure, focusing on software developers for data theft and supply chain attacks. Its advanced capabilities include anti-forensics, credential harvesting, and evasion strategies, showcasing high technical expertise from its developers.

A new malware framework named VoidLink, linked to Chinese-affiliated actors, targets Linux-based cloud environments. Discovered by Check Point Research in December 2025, it features over 30 plugins for persistence and operational security. VoidLink can detect various cloud infrastructures, including AWS and Azure, and includes capabilities for reconnaissance, lateral movement, and privilege escalation. Researchers emphasize the need for enhanced security measures in Linux and cloud environments due to this evolving threat.

Researchers have identified a new Linux malware framework named VoidLink, which features over 30 customizable modules for advanced attack capabilities, including stealth, reconnaissance, privilege escalation, and lateral movement. It can target cloud services like AWS, GCP, Azure, Alibaba, and Tencent by examining metadata through vendor APIs. The framework indicates a shift towards targeting Linux systems and cloud infrastructures, suggesting a higher level of sophistication typically associated with professional threat actors.

Check Point Research has identified a sophisticated Linux malware framework named VoidLink, designed for cloud environments. It features over 30 plugins, enabling stealthy, persistent control over compromised systems. VoidLink adapts to various cloud platforms (AWS, Azure, GCP) and targets DevOps engineers and cloud admins by harvesting credentials and metadata. Currently, there is no evidence of active exploitation, suggesting it may be under development for future use, potentially linked to Chinese state-sponsored espionage.

In December 2025, Check Point Research identified VoidLink, a sophisticated Linux malware targeting major cloud providers like AWS, Google Cloud, and Microsoft Azure. Likely developed by a Chinese-affiliated group, it hunts for credentials and can hide within Docker and Kubernetes. VoidLink employs advanced stealth techniques, adapting its behavior based on security software detection. It features a modular design with 37 plugins and can self-delete if analyzed. Experts recommend enhancing cloud defenses against this emerging threat.

A new Linux malware named VoidLink targets cloud infrastructure, featuring over 30 plugins for activities like credential theft and lateral movement. Discovered by Check Point Research in December, it is written in Zig and appears to originate from a Chinese-affiliated environment. VoidLink can delete itself if tampered with and includes advanced capabilities such as kernel-level rootkits and anti-forensics. Its focus on cloud services like AWS and Azure marks a shift in malware targeting, posing significant risks to high-value targets.

Researchers have identified a sophisticated malware framework named VoidLink, targeting Linux cloud servers. Developed by Chinese creators, it operates stealthily within Linux systems and containers, adapting its behavior based on the cloud environment, including Kubernetes and Docker. Check Point's analysis suggests that while the malware is still in development, it is advanced enough to be used soon for cyberespionage or supply-chain attacks, as it can harvest credentials from cloud environments and source code repositories.

ServiceNow patched a critical vulnerability (CVE-2025-12420) in its AI Platform, allowing unauthenticated user impersonation with a CVSS score of 9.3. The flaw was addressed on October 30, 2025, with updates for Now Assist AI Agents (5.1.18+, 5.2.19+) and Virtual Agent API (3.15.2+, 4.0.4+). Discovered by Aaron Costello of AppOmni, there is no evidence of exploitation, but users are urged to apply updates promptly to mitigate risks.

ServiceNow patched a critical vulnerability (CVE-2025-12420) in its AI platform that allowed unauthenticated user impersonation, rated 9.3/10 in severity. Discovered by AppOmni in October 2025, fixes were deployed on Oct. 30, 2025. Affected components include Now Assist AI Agents and Virtual Agent API. Recommendations include upgrading to specific patched versions and implementing security measures like human supervision and agent segmentation to mitigate risks associated with AI configurations.

ServiceNow patched a critical vulnerability (CVE-2025-12420) in its AI Platform, allowing user impersonation with a severity score of 9.3/10. Discovered by AppOmni, the flaw could enable unauthenticated users to perform actions as legitimate users. The patch was deployed on October 30, 2025, for various app versions, including Now Assist AI Agents and Virtual Agent API. No exploitation has been reported yet, but unpatched systems remain at risk.

CISA has warned of active exploitation of a high-severity vulnerability in Gogs, tracked as CVE-2025-8110 (CVSS score: 8.7), allowing code execution via path traversal in the PutContents API. Wiz reported 700 compromised instances among approximately 1,600 exposed servers. No patches are currently available, but code changes are underway. Users are advised to disable open-registration and limit access. Federal agencies must implement mitigations by February 2, 2026.

CISA has issued a critical warning regarding a path traversal vulnerability in Gogs, tracked as CVE-2025-8110, which is actively exploited. This flaw allows attackers to escape restricted directories and execute arbitrary code due to improper symbolic link handling in the PutContents API. Organizations must address this by February 2, 2026, and are urged to apply patches immediately. If no mitigations are available, CISA recommends discontinuing the use of the vulnerable product.

CISA has mandated federal agencies to cease using Gogs or secure it immediately due to a high-severity vulnerability (CVE-2025-8110) that allows authenticated users to overwrite files and achieve remote code execution. Discovered by Wiz researchers, the flaw affects over 700 compromised Gogs instances. Agencies are advised to implement mitigations or discontinue use, as Gogs has not yet issued a fix. The vulnerability exploits a bypass in previous security measures related to symbolic links.

CISA has added Gogs CVE-2025-8110 to its Known Exploited Vulnerabilities catalog, highlighting a critical symlink bypass that allows unauthenticated Remote Code Execution via the PutContents API. Over 700 Gogs servers are compromised, with a severity score of 8.7/10. Federal agencies must patch by February 2, 2026, or cease using the software. The fix, available on GitHub, implements symlink-aware path validation to mitigate the vulnerability.

A high-severity vulnerability in Gogs, tracked as CVE-2025-8110, is actively exploited, allowing authenticated users to overwrite files outside a repository, potentially leading to remote code execution. CISA has added it to its Known Exploited Vulnerabilities catalog. Over 700 Gogs instances are compromised, with no patch currently available. Recommended mitigations include disabling open registration, restricting access, and monitoring unusual API usage. The flaw affects Gogs versions up to 0.13.3.

Cyber-enabled fraud is now the primary concern for corporate executives, surpassing ransomware, according to a World Economic Forum report. In 2025, 73% of respondents reported being affected by cyber-enabled fraud. The report highlights shifting priorities in cybersecurity, with high-resilience organizations focusing on AI risks and low-resilience ones on fraud. Geopolitical risks also influence strategies, with 66% of CEOs adjusting their approaches. Confidence in national responses to major cyber incidents is low, particularly in Latin America.

In 2026, 64% of business leaders assessed AI security risks before deployment, up from 37% the previous year, highlighting AI security's growing priority. The World Economic Forum found 94% believe AI will drive cybersecurity changes, with 87% noting increased vulnerabilities. Geopolitical factors shape cyber risk strategies, especially for larger organizations. Cyber-enabled fraud is the top concern for CEOs, while ransomware remains a primary fear for CISOs. The focus on cyber resilience is emphasized, with 64% meeting minimum standards.

The World Economic Forum's Global Cybersecurity Outlook 2026 highlights the pressures on security teams from AI misuse, geopolitical instability, and cybercrime. AI is seen as both a tool for enhancing security and a source of new vulnerabilities, particularly in data exposure and social engineering. Cyber-enabled fraud, including phishing and identity theft, is a growing concern, with CEOs ranking it as a top risk. Organizations report improved resilience but face challenges from legacy systems and inequities in cyber capabilities across regions.

CEOs are increasingly concerned about cyber-enabled fraud, surpassing ransomware as the top threat, according to the World Economic Forum's Global Cybersecurity Outlook 2026. Nearly 73% of CEOs reported personal exposure to fraud, primarily through phishing (62%) and identity theft (32%). AI-related vulnerabilities are rising rapidly, with 87% noting an increase. Organizations are adapting, with 64% assessing AI security pre-deployment. Geopolitical factors are also reshaping risk strategies, particularly concerning supply chain vulnerabilities.

Businesses are increasingly addressing AI security risks, with 64% assessing risks before deployment, up from 37% last year. The World Economic Forum's 2026 Global Cybersecurity Outlook indicates that 94% believe AI will drive cybersecurity changes. Key concerns include data leaks (34%) and AI vulnerabilities. While 77% use AI for cybersecurity, barriers include skill shortages (54%) and risk uncertainty (39%). Phishing remains the top threat, with emerging risks like deepfake scams noted.

Cyber-attacks, particularly ransomware, remain the top risk for businesses, with 42% of firms citing it as their primary concern, according to the Allianz Risk Barometer. AI-related risks have surged to the second position, reflecting growing awareness of operational, legal, and reputational implications. Companies express a need for significant investment to address AI-driven threats. Additionally, reliance on a few cloud service providers raises concerns about business continuity and supply chain disruptions.

Cybersecurity remains the top risk concern for corporate leaders for the fifth consecutive year, according to Allianz Commercial's annual Risk Barometer. AI has surged to the second position from tenth, reflecting its potential for productivity improvements and new security challenges. The report, based on a survey of over 3,300 experts, indicates that companies face operational, legal, and reputational risks with AI adoption. In the U.S., AI risk ranks fourth, following cybersecurity, business interruption, and regulatory changes.

Mandiant has released AuraInspector, an open-source tool for Salesforce admins to detect misconfigurations that may expose sensitive data. Launched on Monday, it targets access control issues in Salesforce Aura, which can lead to unauthorized data access. The tool automates the identification of potential abuse techniques and offers remediation strategies. AuraInspector operates in a read-only mode, ensuring no modifications to Salesforce instances. Misconfigurations in Aura have been linked to significant data exposure risks.

Google's Mandiant has released AuraInspector, an open-source tool for auditing Salesforce Aura access control misconfigurations in Experience Cloud applications. It examines Aura endpoints to identify excessive data exposure risks, focusing on record list components and object permissions. The tool automates checks for potential misconfigurations, addressing challenges in auditing Salesforce's complex permission structures. AuraInspector is available for free on GitHub.

Mandiant has released AuraInspector, an open-source tool for auditing access-control misconfigurations in Salesforce's Aura framework. It addresses critical security gaps in Salesforce Experience Cloud, where misconfigurations can expose sensitive data. AuraInspector automates detection of these issues, including self-registration endpoints and accessible records, using techniques like GraphQL to bypass record limits. Mandiant advises auditing permissions and following Salesforce security best practices. The tool is available on GitHub.

A critical vulnerability (CVE-2026-21858) in the n8n workflow automation platform could allow attackers to bypass automation, posing a severe risk with a score of 10. Researchers found over 105,000 vulnerable instances, now reduced to about 59,500. The flaw may expose sensitive credentials from services like Salesforce and AWS. Patches were released on Nov. 18, and users are advised to upgrade to version 1.121.0. No evidence of exploitation has been reported.

A critical vulnerability (CVE-2026-21858) in the n8n workflow automation platform exposes over 100,000 instances to remote code execution (RCE) attacks, allowing unauthenticated attackers to execute arbitrary code and take over instances. The flaw, stemming from content-type confusion in webhook handling, affects versions 1.65.0 to 1.120.x. Organizations must upgrade to version 1.121.0 or later immediately and implement security measures like firewalls and monitoring to mitigate risks.

Nearly 60,000 n8n instances are vulnerable to the Ni8mare CVE-2026-21858 flaw, allowing unauthenticated remote server takeover. This maximum-severity vulnerability affects versions 1.65.0 and below, with a fix available in version 1.121.0. Shadowserver reported 59,559 exposed instances as of January 11, 2026, primarily in the US, Europe, and Asia. The only defense is to upgrade, though admins can block attacks by restricting public endpoints. The flaw was discovered in November 2025.